
5 Minutes with Saad Gul on LifeSpan's data breach

5 Minutes With
August 21, 2020

Recently, the U.S. Department of Health and Human Services (HHS) concluded its investigation on the Lifespan Health System data breach, which took place in 2017. As a result, the non-profit health system based in Rhode Island has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the HHS and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop.  

The breach affected 20,431 individuals. In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. 

Here, we speak to Saad Gul, Co-Chair of the Poyner Spruill, LLP, privacy and cybersecurity team, and learn about the case, what it means for data security professionals, why this case emphasizes the importance of encrypting all mobile data devices and why the HHS ruling should be a warning to all companies with HIPAA information.

 

Security magazine: What is your title and background?

Saad Gul: I’m a partner with Poyner Spruill LLP in Raleigh, N.C. I’ve been a computer geek going back to my Commodore 64 in 1986. I worked at the Computer Center while attending Davidson College. After graduation, I went to work for Cambridge Technology Partners out of Cambridge, Massachusetts.

It sounds like the 1950s now, but the late 1990s was a very exciting time. A lot of what we see now (electronic reservations, payments through phones, Uber, Amazon, RFID) was just getting started, or was on the drawing board.

Then when I had enough of consulting, I went to law school. I clerked for the Chief Judge of the North Carolina Court of Appeals, and a Justice of the North Carolina Supreme Court. Then, I joined Steptoe & Johnson LLP in Washington, D.C.

Computer issues began showing up in our matters. First on the periphery, and then at the heart of the matter. Insurance was a big one. Contracts was another. In many ways, Steptoe was the heart of cybersecurity law because of Stewart Baker. Stewart had been General Counsel of the US National Security Agency (NSA). He’s probably the expert in this area.

So it drew my interest. A couple of moves later, a slot at Poyner opened up. I recalled Poyner as a highly respected firm from my clerking days. And I had friends there, so it seemed the natural transition. I am still here four and a half years later.

 

Security magazine: As a result of the investigation, what will Lifespan Health System Affiliated Covered Entity have to implement?

Saad Gul: Well, there is the fine of a million dollars obviously. And then there is the two-year Corrective Action Plan.

For readers who are interested in the full nuts and bolts of the plan, it is available on the HHS OCR website. But I read it to require five major steps:

  • First, Lifespan must disclose details about its affiliated covered entities to HHS.
  • Second, it has to revise its Business Associate Agreement (BAA) policies. HHS must review and approve the policies. Lifespan must designate an officer with the responsibility for overseeing BAAs. The officer also evaluates Lifespan’s relationships to assess the need for a BAA.
  • Three, it must develop device control procedures. Again, HHS will vet and approve these procedures.
  • Fourth, Lifespan must train employees and contractors on these device control procedures. It must investigate any potential violation of the procedures. Violations must be reported promptly to HHS.
  • Finally, Lifespan must submit a compliance report to HHS. This verifies that the new policies and procedures are in place. And Lifespan must confirm that personnel have been trained on the new policies and procedures.

 

Security magazine: What does this mean for Lifespan and other health systems, especially those who suffer data breaches?

Saad Gul: It means that an ounce of prevention is worth a pound of cure. Look, with COVID-19, folks are appreciating the value of their health information.

Many of the steps required by the Corrective Action Plan are good cyber-hygiene practices anyway. Health systems should be looking at their BAAs. They should be assessing if BAAs cover all the business relationships they should. They need policies concerning every device that has health data. And personnel should be trained.

The message is “you need to be doing this.” HIPAA requires it. The Security Rule requires it. The Privacy Rule requires it. And if you are not going to do it – not out of malice, but because it’s not a priority – then HHS will come make you do it.

So if you have HIPAA protected information, be ahead of the curve. Do what you should be doing. Do it before a mishap. Because the cleanup is going to be messy. It is going to be expensive. And you’re going to need a lot of approvals. And get a lot of permissions. For a long time.

Do yourself a favor. Protect your data proactively. Save the heartburn.

 

Security magazine: What does this mean for all data security professionals?

Saad Gul: Look, it’s the fundamentals. It is always the fundamentals. HIPAA is 24 years old. The details have evolved. But the basics have not.

It’s like diet and exercise. Everyone knows they should. Everyone would like to. But they often don’t. Well, everyone knows they have to protect data. Everyone knows that if you are going to transfer data, you need a BAA. You need a risk assessment. You need to monitor threats. You need backups for ransomware. You need encryption. And there’s probably a dozen or so fundamentals that everyone in the industry knows.

So for security leaders, the bottom line is simple, if brutal. The technology may be complex. But the compliance is not. Go ahead and do it. Compliance, security, they tend to be high importance, but low priority. It is always the item that can be deferred to the next quarter. Something that can be cut – temporarily of course – from the budget.

What HHS is saying is, be careful with that. You’re not taking a calculated risk. You’re gambling with the security of patients’ data. And if you lose that bet, whether through an incident, or something else bringing you on HHS radar, that is going to cost you heavily. Not just in dollars. Not just in remediation. But in terms of autonomy. In terms of having to get your compliance papers approved. In terms of having HHS watch you for years.

So do yourself a favor. Take those steps now. On your own terms. Before HHS makes you do it on theirs.

 

Security magazine: What is the importance of encrypting all devices which may generate data?

Saad Gul: Think of encryption like a parachute. Or like money in the bank. Hopefully you have a good system in place. Everything works like it should. You don’t need the parachute. And you don’t need to draw on the money in the bank. No harm done. It's there.

But real life, as we’re all too aware now, is messy. It does not work that neatly. There are unanticipated events. The best laid plans go awry. It’s Murphy’s law of combat - you plan for the enemy to attack from all four directions. The enemy will always opt for the fifth one.

So if you have an issue that you did not anticipate, encryption is your insurance. Maybe someone accessed your data in some unanticipated way. Remember, even the NSA left key tools on an unsecured server accidentally.

Well, if your data is compromised and it is encrypted, you have a parachute. The exfiltrator does not actually have access to the data itself. In most cases, it's not a breach. Which means you’re spared all the headaches that go with a breach: regulators, mandatory reporting, required notices, loss of goodwill, the embarrassment.

KEYWORDS: cyber security data breach healthcare security risk management
